Despite often being presented as being designed to increase a user’s security and privacy, many Android VPN-based apps may actually be doing the opposite.
According to a CSIRO study of 283 Android VPN apps listed on the Google Play store, while 67% of the identified apps offer services putatively to enhance online privacy and security, 75% use third-party tracking libraries and 82% request access to sensitive data such as user contacts and text messages.
The report also found that over 38% of the apps contain some form of malware.
Moreover, 16% of the analysed apps appear to forward traffic through other participating users’ devices in a peer-forwarding manner — raising a host of trust, security and privacy concerns — and 18% implement tunnelling protocols that lack encryption.
Two of the VPN apps were found to be actively injecting JavaScript code on users’ traffic for advertising and tracking purposes, while four compromise users’ route store and actively perform TLS interception in transit. Three of these selectively intercept traffic specific to online services including social networks, banking, e-commerce sites, email and IM services.
Leave a Reply